(Cloud) Tip of the Day: UPN sync changes in Azure AD

Today’s (Cloud) Tip…

We have made a couple pretty big changes to how UPN syncs and how soft matching works when syncing to Azure AD.

Synchronization of UPN Updates for Licensed/Managed Users

Historically we have blocked all updates to UserPrincipalName via Sync from On-premises if the User is managed (non-federated) and has been assigned a license. This behavior is described under scenario 2 of article User names in O365, Azure or Intune don’t match on the on-premises UPN or alternate login ID (in the process of being updated).

This feature changes that behavior, allowing the update to be processed. This has been enabled by default in tenants created after June 15, 2015 but tenants created before June 15, 2015 now have the option to opt-in to this behavior by running the PowerShell cmdlet:

Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers-Enable $True

Note: Unfortunately, this does not affect the federated domain to federated domain rename restriction described in scenario 3 of this article https://support.microsoft.com/en-us/kb/2669550.

UserPrincipalName Soft Match (Preview)

When this feature is enabled our normal soft-match logic still applies, but if we fail to match on the primary SMTP we will fall back and attempt a match based on UserPrincipalName instead. This is particularly useful for customers who need to match on-prem Active Directory accounts with existing accounts created in the cloud, but are not using Exchange Online and therefore generally don’t have a reason or means to set SMTP in the cloud.

The documentation for this feature is coming soon, but the customer can enable this feature by running the PowerShell cmdlet

Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $True

Identity Synchronization and Duplicate Attribute Resiliency

Duplicate Attribute Resiliency is a feature in Azure Active Directory designed to eliminate friction caused by UserPrincipalName and ProxyAddress conflicts when running one of Microsoft’s synchronization tools. The UserPrincipalName and ProxyAddress attributes are generally required to be unique across all User, Group, or Contact objects in a given Azure Active Directory directory.

Instead of completely failing to provision or update an object with a duplicate attribute, Azure Active Directory “quarantines” the duplicate attribute which would violate the uniqueness constraint. If this attribute is required for provisioning, like UserPrincipalName, the service will assign a placeholder value. The format of these temporary values is


If the attribute is not required, like a ProxyAddress, Azure Active Directory simply quarantines the conflict attribute and proceeds with the object creation or update.

For more information about this, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsyncservice-duplicate-attribute-resiliency/